CVE-2021-44476: [SEC] CVE-2021-44476 - A sandboxing issue in Odoo Community 15.0 and... · Issue #107684 · odoo/odoo

A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read local files on the server, including sensitive configuration files.


Security Advisory - CVE-2021-44476

Affects: Odoo 15.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2021-44476
Component: Core
Credits: Toufik Ben Jaa

A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise
15.0 and earlier allows authenticated administrators to read local files
on the server, including sensitive configuration files.

I. Background

Odoo includes a sandbox for interpreting dynamic business logic components,
such as the definition of workflows, automated actions, or the dynamic
expressions used within report templates.

The mechanism behind this sandbox is called ‘safe eval’ and keeps the system
safe while allowing advanced customizations. Its role is to execute
user-provided Odoo business logic while preventing any undesired
effects on the data or the hosting platform, whether caused by accident
or by malicious users.
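To make the sandbox concept above concrete, here is an added example of how an expression sandbox is typically built: the expression is parsed into an AST, only an allowlist of node types and names is accepted, private (underscore-prefixed) attributes are refused, and evaluation runs with an empty `__builtins__` so that file and import primitives are not reachable. This is illustrative code written for this page, not Odoo's own `safe_eval`; the node allowlist, the `_SAFE_BUILTINS` table and the sample expressions are assumptions chosen for the demonstration.

```python
"""Minimal AST-allowlist expression sandbox (illustrative; not Odoo's safe_eval)."""
import ast

# Node types the sandbox is willing to evaluate. Anything else (imports,
# lambdas, comprehensions, assignments, ...) is rejected before evaluation.
_ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.IfExp,
    ast.Constant, ast.Name, ast.Load, ast.Attribute, ast.Call, ast.keyword,
    ast.Subscript, ast.List, ast.Tuple, ast.Dict,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.USub, ast.Not,
    ast.And, ast.Or, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
    ast.In, ast.NotIn,
)

# The only callables an expression may invoke (assumed set for this example).
_SAFE_BUILTINS = {"len": len, "min": min, "max": max, "abs": abs,
                  "round": round, "str": str, "int": int}


class SandboxError(ValueError):
    """Raised when an expression violates the sandbox policy."""


def _check(tree, allowed_names):
    """Static policy check over every node before anything is executed."""
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise SandboxError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in allowed_names:
            raise SandboxError(f"unknown name: {node.id}")
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            # Dunder/private attributes are the usual road from a value to the
            # interpreter internals, so they are refused outright.
            raise SandboxError(f"private attribute access: {node.attr}")
        if isinstance(node, ast.Call):
            # Only allowlisted builtins may be called; no method calls, no
            # calling whatever a context value happens to be.
            func = node.func
            if not (isinstance(func, ast.Name) and func.id in _SAFE_BUILTINS):
                raise SandboxError("calls are limited to allowlisted builtins")


def safe_eval(expr, context=None):
    """Evaluate a single expression against an explicit context dict."""
    context = dict(context or {})
    tree = ast.parse(expr, mode="eval")
    _check(tree, set(context) | set(_SAFE_BUILTINS))
    # Empty __builtins__: even if the static check missed something, open,
    # __import__ and friends are not present in the evaluation namespace.
    namespace = {"__builtins__": {}}
    namespace.update(_SAFE_BUILTINS)
    namespace.update(context)
    return eval(compile(tree, "<sandbox>", "eval"), namespace)


def try_eval(expr, context=None):
    """Return ('ok', value) or ('rejected', reason); handy for policy tests."""
    try:
        return ("ok", safe_eval(expr, context))
    except (SandboxError, SyntaxError) as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed sample expressions: two legitimate business-logic snippets
    # and a few that a sandbox must refuse.
    samples = [
        ("amount * qty + 1", {"amount": 10, "qty": 3}),
        ("max(len(names), 2)", {"names": ["a"]}),
        ("open('config')", {}),
        ("x.__class__", {"x": 1}),
        ("[n for n in names]", {"names": []}),
    ]
    for expr, ctx in samples:
        print(f"{expr!r:28} -> {try_eval(expr, ctx)}")
```

The two layers matter together: the AST check gives a precise, auditable policy, and the empty `__builtins__` is the backstop for anything the policy forgets. Real sandboxes also have to think about what the context objects themselves expose, which is where escapes like the one in this advisory tend to originate.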

In order to be allowed to customize any of these dynamic business logic
components, one must be an administrator of an Odoo database, or have otherwise
received elevated privileges.

II. Problem Description

The sandbox mechanism can be escaped and allow a malicious administrator to
read local files on the server.

Systems that host Odoo databases for untrusted users (e.g. SaaS platforms) are
particularly at risk, as they typically allow users to become administrators
of their own Odoo database. This is sufficient to exploit the vulnerability.

III. Impact

Attack Vector: Network exploitable
Authentication: Privileged user account required
CVSS3 Score: Medium :: 6.8
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

A malicious administrator might be able to access sensitive files stored on the
server and read protected configuration secrets or the application source code.

Odoo S.A. is not aware of any use of this vulnerability in the wild.

IV. Workaround

No workaround is available; updating to the latest revision or applying the
corresponding patch is strongly recommended.

Odoo Cloud servers were patched as soon as the correction was available.

V. Solution

Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation (links provided below).

For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html

VI. Correction details

The following list contains the patches that fix the vulnerability for
each version:

  • 13.0: 1282375
  • 14.0: be2c857
  • 15.0: affe9d8
  • 15.0-ent, 14.0-ent, 13.0-ent (Enterprise): see 15.0, 14.0 and 13.0.
